From advisories@atstake.com Wed Apr 9 01:47:43 2003
From: "@stake Advisories"
To: vulnwatch@vulnwatch.org
Date: Mon, 07 Apr 2003 10:09:14 -0400
Subject: [VulnWatch] Vignette Story Server sensitive information disclosure
(a040703-1)
[ The following text is in the "ISO-8859-1" character set. ]
[ Your display is set for the "US-ASCII" character set. ]
[ Some characters may be displayed incorrectly. ]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
@stake, Inc.
www.atstake.com
Security Advisory
Advisory Name: Vignette Story Server sensitive information
disclosure
Release Date: 04/07/2003
Application: Vignette Story Server v4.1, 6
Platform: Windows / Unix
Severity: A remote user can extract session information,
server side code and other sensitive information
anonymously
Author: Ollie Whitehouse (ollie@atstake.com)
Contributions: Florian Walther (scusi@xs4all.nl>)
Simon Kilvington (si.kay@bigfoot.com)
Vendor Status: Vendor notified, Patch available
CVE Candidate: CAN-2002-0385
Reference: www.atstake.com/research/advisories/2003/a040703-1.txt
Overview:
Vignette's Story Server is a web interface to Vignette's
content management suite of applications that operates on a variety
of platforms and web server technologies.
Vignette Story Server allows the publication of both static and
dynamic content. The dynamic pages are created using a TCL[1]
Interpreter. There exists vulnerability within the TCL interpreter
used that allows 'dumping' of the stack of the current running TCL
process when generating dynamic pages.
This vulnerability results in an attacker being able to extract
information about other users sessions, server side code and
other sensitive information.
This vulnerability has been verified on Vignette Story Server v4.1
and v6.0.
Description:
Vignette supports a vast range of dynamic content via it's
content management system. It allows the use of TCL code to interact
with databases, generate cookies, and wide range of other functions.
When a request is made to a dynamic page which accepts user input
there exists an issue when a large number of " and > characters are
input to the TCL interpreter. The effect is that the TCL interpreter
will crash returning to the user the data that was on the stack at
the current time.
- From @stake's testing it has been observed the most likely way to
generate the crash is a with a combination of around 214 " and >
characters. Contained below is an example URL that if populated
would return a large amount of data.
https://www.example.co.uk/securelogin/1,2345,A,00.html?Errmessage
="x214>x214 [line wrapped]
If above URL is submitted when there is a large number of users
performing dynamic functions within the site (i.e. logging in or
performing a search) then a large amount of sensitive TCL code will
be available upon the stack and send to the attacker.
It should be noted that this vulnerability can be exploited
continuously without any effect on the availability of the site in
question, thus allowing an attacker to effectively wait until they
have enough data to achieve their end goal.
Timeline*:
Jan. 28, 2003 Email contact at Vignette on 28th with details of
vulnerability. Recieve questions regarding
vulnerability and respond accordingly.
February 2003 Vignette confirms they have not been able to reproduce
@stake calls Vignette contact to explain vulnerability,
understand the product is not affected in it's latest
incarnation due to it being Java rather than TCL.
Contact says they would like affected customers to
upgrade. @stake offers via voice and e-mail to
reproduce issue if Vignette provide Internet accessible
host. @stake conducts another phone call with Vignette
to explain the issue and discuss possible alternatives
and solutions @stake has been suggesting to clients.
March 2003 @stake contact Vignette requesting an update.
Vignette states that questions regarding this issue
should be submitted by affected customers via their
Vignette support contract.
April 4, 2002 Vignette responds that the issue has been fixed and
supplies patch information.
* It should be noted that @stake customers were effected by this
issue and our first priority was to not put them at increased risk.
Vendor Response:
The problem is fixed and a patch is available. Any Vignette customer
who has a security concern with their Vignette deployment should
contact Vignette Technical Support through normal channels. Those
channels include support@vignette.com,
contacting Technical Support in the Americas at 1 888 846 6907,
Europe, Middle East and Africa 44(0)1628772299 and Asia Pacific
Australia 1 800 110 118 Asia Pacific New Zealand, Singapore, Hong
Kong, Taiwan & China: +800 110 11811 Asia Pacific All Others
61.2.9455.5099. Additionally, customers have the following resources
available at
http://support.vignette.com/VOLSS/KB/View/1,,5360,00.html
@stake Recommendations:
If you are you have a dynamic application that receives user input
you should install the patch.
Alternatively, employ string length checks upon user submitted
data. @stake has discovered requests under about 100 bytes rarely
yield any sensitive information.
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has
assigned the following names to these issues. These are candidates
for inclusion in the CVE list (http://cve.mitre.org), which
standardizes names for security problems.
CAN-2002-0385 Story Server sensitive information disclosure
@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/
@stake Advisory Archive:
http://www.atstake.com/research/advisories/
PGP Key:
http://www.atstake.com/research/pgp_key.asc
@stake is currently seeking application security experts to fill
several consulting positions. Applicants should have strong
application development skills and be able to perform application
security design reviews, code reviews, and application penetration
testing. Please send resumes to jobs@atstake.com.
Copyright 2003 @stake, Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
iQA/AwUBPpGF60e9kNIfAm4yEQJPvwCg6FqAgKrJU9hvoVFTUQ5mfPIEqaMAoKI7
YSizsjE3r94kt4X7iSXIlwVQ
=zkG0
-----END PGP SIGNATURE-----